Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 02:18

General

  • Target

    eca6408eeaf6f2cc300fb7c809337a0a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    eca6408eeaf6f2cc300fb7c809337a0a

  • SHA1

    6380f35c00ed2af128e4523544c4b6ecdc5c5880

  • SHA256

    6f9bda0f88b5f2b9766a2f59d9bdbf1e7e8daf14ff52a193bd77b2971282a7df

  • SHA512

    fc9c85fad7defad890d51d9ac0f3d5f8094badfb2719e8cb420fa81afbedaf8fbb6be6bd2feb012671a03af5024c3bdf9a1f4ad249bba009bc64c8d999446d19

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eca6408eeaf6f2cc300fb7c809337a0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eca6408eeaf6f2cc300fb7c809337a0a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Windows\SysWOW64\xdkcqrlpec.exe
      xdkcqrlpec.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\SysWOW64\rfqzhwsl.exe
        C:\Windows\system32\rfqzhwsl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4680
    • C:\Windows\SysWOW64\wakbbdspywqnwqc.exe
      wakbbdspywqnwqc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4636
    • C:\Windows\SysWOW64\rfqzhwsl.exe
      rfqzhwsl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3288
    • C:\Windows\SysWOW64\chtmqtardguji.exe
      chtmqtardguji.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2544
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4428

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    8bbc1beae91ec5d57cbfecc4f98a2b4c

    SHA1

    3e0b595dc87781c70c4b54aad05ad90fd63f5013

    SHA256

    9ab36fc29c189b52c4960038211368277371799f08a0d95e554635143a5bc68d

    SHA512

    f468e8770a187ceff21f919e263f1e5daaec9765efe12bf7a7ccf573b95f34e1e249a8d636af64566342d749a4b7385beb57feb5bc43345b46c4b378ddcaafd8

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    6121ad0aa2b786043544ce2548124e63

    SHA1

    a942f0ca912723ac31f1267d55c9c377d03af214

    SHA256

    cc639411f192832eb6ed2e5b4deee09fe0b0c77074daa886fdc5073b5fb40b1f

    SHA512

    f2fe52aec8c8988592bd44a4721e36b7d496d1dbc23269ff65e15df48dd3b2434888a25584b67b585ec7d951ba37eda5780aae31cc6a2ed25261851e4449468f

  • C:\Users\Admin\AppData\Local\Temp\TCDE43F.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    436B

    MD5

    792412ac83b7b49953ad793318812c9d

    SHA1

    a79548ced285f9c45f3bd3265a246c2f9c2ec217

    SHA256

    816bdfa6c5e9415c19424b779d8cb876502f6216c94509cb6da8ec395922cd87

    SHA512

    d8d938366240d0173eb81c4b43b3fc32cbc6fd99c3bc51834c1e415de658b23943fce72585d8170dd848245c287d8b1e1b3894303f79e717be10aaed063596b9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    91788ab0b53dc59906df328aecde4746

    SHA1

    b79dd10edac40a43c90d0239ce0301b35d8261e6

    SHA256

    ebb0a05e38d18db6c709af665a08367af15d812dd6607bf93861212c636430b1

    SHA512

    47d83d26338feaba8b380aa5fe90ff5933f8ce8b445d2264616848af006227e1126f0ddb2fa2ca134ae9c5bd030724a3b00da21c552ba5e0100c68b6ca0525a7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    4KB

    MD5

    b8861b4085dc3b14b207bcfe8484a5e2

    SHA1

    1a8cb8b192baeed6474f94e1b9d24576103a6c8e

    SHA256

    40bf4be70ae9ed8656faf4a8240b377884ca74449d4e1fc549abdb5f0984251a

    SHA512

    8ff4fcff38e7b0c0ec3ff8c3486ddc820d2da943a27087ca7ca7353a00f16f3b311a6e339d3be2667110b3558492130f72a1cdb15b779ecdd203ffdb5ed0ea4c

  • C:\Users\Admin\Documents\ExitCompress.doc.exe

    Filesize

    512KB

    MD5

    6dd9f388ff7a261a32b11fd81e46d43d

    SHA1

    631c5423a5c1b0cac096a535638f64e2cedfba6d

    SHA256

    e67a13c6441991e2cd26cd821a3faa4e3c5714b689df5b5d63272cab9d575156

    SHA512

    7436d529dc2d48acd7b3f7c4103f201be9964321d9735e46e1f947ac21be092ecf62dbf2e388b684ad893030fde933dc62dbb427e3c822d51af2afd2bab45856

  • C:\Windows\SysWOW64\chtmqtardguji.exe

    Filesize

    512KB

    MD5

    35f3f715a1c2766c82d9e6b66c6ddde1

    SHA1

    572d282eb6f47a3cb4512f31eb16c20873f6689f

    SHA256

    699630d5018b0bab6eb84e7c9dbbdabe8850a060f7d15330fda85b06049e2482

    SHA512

    04bb3b0b13080e27d0450293cc6363df7df6bd6a0159c7b87fbbc77e045ccdd5288df99eb9c3e657ec6294fcc8e1c7ab8dcf9a5f0ef9ebe3853437d0a2bfab9a

  • C:\Windows\SysWOW64\rfqzhwsl.exe

    Filesize

    512KB

    MD5

    16354a6759db6c5c74644310ecc7cad4

    SHA1

    0146128d98bb82692d97aa7efa95613b8fe64e3d

    SHA256

    a30f0a23eecf24699c64b2b29945f8deb6ee529156cbd55039a3d0c29b9026c3

    SHA512

    36acd7eaaf5f6993a4a7b4126deda6d14adb0e6bdca092d78b694785ebfb74566e0bbabc9676b12aa6791b02626b5d760741e6c46e9687e4dfd1c0e3cd7bc737

  • C:\Windows\SysWOW64\wakbbdspywqnwqc.exe

    Filesize

    512KB

    MD5

    664f1ef4dcb7ea85cd993ca24d4cd0dd

    SHA1

    aa54b5ae74d25e7b9bffcd481c6dde5db1bb581b

    SHA256

    c1a4344e00b02c3beccf215ca577c70aab4ddb9458942f73ead00785779aa66c

    SHA512

    8e7fd1ddc7dcbd3491d4b70b87154994d3ebeedae734fc1c5dcc4755d989fdcf651091186ba5fe9e1492155604257c15137bbe274064c96506f9b383bf0b99c8

  • C:\Windows\SysWOW64\xdkcqrlpec.exe

    Filesize

    512KB

    MD5

    f3700197c3d596661d04c722eebd20e1

    SHA1

    1f18f9a91b090aaccb96e235eec4727abe5c6cbe

    SHA256

    798e1b14b7f5e9421b525b89ad88d9972fd365920290450f201f54469cfab92e

    SHA512

    13d0bf020860ed452f0efb38355525726679dc365f41d6182f38a3e47242a41293b1f5c6361512c6bb76adf2422f983d87f19d5472c79dbd633daf2986bdecd6

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    ab39bf3964ebe11421684ff063d4f300

    SHA1

    0ba585e3417fc16be544a4c0955e2722f83b7262

    SHA256

    e770f876c67ab995bf27532895e72293ca4922a42397457122e07c8268677b2e

    SHA512

    d9593e71e342d8a4ed5056f3c547fd5b8afc36be8d720a3c7f5535c0310458acc2f37f479eb3f5b6662589be7bf80c4e3ada6de905528d66044194c9145a51b3

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    edb980f2bd0be5be266ae172daf63e5e

    SHA1

    aa6122540f1e986728127f7720709f36c99a8def

    SHA256

    961a79bfb0cad1fcdb38ba53d15727428aa737e78f6dd702d7f325010f39d3ed

    SHA512

    e432439cfc1f0909245308cfe829ff6982a6fd75d6ae5d7ed9fe88afe3e49068ac7d3ed08f4a6b7bd4200d6ad84b1f40d3eca3a7d6765bef8d9e887023368296
