Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 03:55

General

  • Target

    eccbf884c07fbcb4bca01da23b37fc7c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    eccbf884c07fbcb4bca01da23b37fc7c

  • SHA1

    2089fcaed9844fe8e99ca91b4125176f425a23fb

  • SHA256

    f0e56e43e1e13274643bbf83eac6e2c109d9564e395fe8a89bb5732a00ec6271

  • SHA512

    21b7ebee3acea2405bd35eb974af38084590fde0e48241818faa75843f7f702508273eb1b9e1cb0d3fce611e100b001acf34cd91b2a9572fde70150316640dcd

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eccbf884c07fbcb4bca01da23b37fc7c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eccbf884c07fbcb4bca01da23b37fc7c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\nmvifryviw.exe
      nmvifryviw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\lmesmklv.exe
        C:\Windows\system32\lmesmklv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2964
    • C:\Windows\SysWOW64\ufkzqmucumtvhxq.exe
      ufkzqmucumtvhxq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2916
    • C:\Windows\SysWOW64\lmesmklv.exe
      lmesmklv.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:584
    • C:\Windows\SysWOW64\ozwksogefqcng.exe
      ozwksogefqcng.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2808
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      af1e8f1cb9c47711ee50abc29a283b39

      SHA1

      c1add6ca88ebcc33c91b4227a750bd89a1a60a1b

      SHA256

      d8535df1285bc8cb06d4dc6f0b8bda10abe9c353d7b7b9f1b9e924e1ec1559e5

      SHA512

      029810590e0bb288268317aafdd7e01fc71092282b3b0d512c6aa348313ca6680442e21a8a62364575bebbeac4c8fa76a693c8717b36dbc31866b356c460ef0d

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      c0dd0504e17f0fe6dc1741a4b36d67bf

      SHA1

      34725342f85fc38876a4415316414e0b6373394a

      SHA256

      6f074e77f31d9cd49ca316a4ed4aaa89af917822e07368702abd90a6e1940933

      SHA512

      a10727927af0ebc82c2f1705c4b76ad721bec4f5a101c1fea52bba4a23ef1b872a416793b60c8bc396d139949f0def5d81dfaa1da53cf9a29a2864fa3f6b0d91

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      386B

      MD5

      e91567e5b167d6aa191de30da466d8aa

      SHA1

      95452fe319f3830604c4a78f0e3cff014622b2d9

      SHA256

      494f370997f2c3337c7db76291159a55f26a6c96a9642273e7ceca948721dbfb

      SHA512

      4536d70cf214f95758062d58c64106068d1b347b957a6f0db68259e9f9309451acdd9536e4c654ff7af9b2698df602e8cdcb154708c48735987f576b908d40a2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      7bcdad1affec686c623aec4b1f1aea4e

      SHA1

      83a7d17a13d94afadf1bf124df50dbec44f34063

      SHA256

      b3d138f8bd167e2a79009485aef0835a8a465226d015dc4bdbda686fba625505

      SHA512

      4784c4a54054f924f2396ee2ff1f6fb01618b95ca903a0dc466424d6c21a75f724b645533f1f6096683432aab5ace3a14c7147127529ed4420668c4eaf8d528b

    • C:\Windows\SysWOW64\lmesmklv.exe

      Filesize

      512KB

      MD5

      dec5ad49435457d1d2d4ca7d4dd4c7c7

      SHA1

      f2d21d6789739fdb1c83296c770a4d6667857bcb

      SHA256

      caca13d330c1a5614cf9f99f64cc760893b68dacf3d04947a95f69b16278a6ba

      SHA512

      05acf8d8a83dabc93bcf3291b640b12155313a3713eb33b96edf42215b2ae158faf720a81b30cda57fd87bfaee296956bce55d9d700f2b2accf921c30b7fe769

    • C:\Windows\SysWOW64\nmvifryviw.exe

      Filesize

      512KB

      MD5

      8e59e30d9b9ec70372569e400fa0466f

      SHA1

      2733491013471da3db6234b3cff81720c378d76b

      SHA256

      600876789b113c29443d79adf2a98a535eff04e732c953c7cec57e8b0f925c25

      SHA512

      db2ac6f42cc3d605a0e01a550ee580376166288986cdeb5d7e18c27642dcb6101c58360e4a21dde1924fea50e4451260e5d59805fcd78fef5031a7392e7126ad

    • C:\Windows\SysWOW64\ozwksogefqcng.exe

      Filesize

      512KB

      MD5

      0f0c96b4b87695abffeead32ba34cb8e

      SHA1

      5aee72e01e79c34c7c021b2da4bc85161546e696

      SHA256

      37082cd01eb736347c100bae76605598a8718ab152eba438dc4920ff33e0924f

      SHA512

      ceb794eb3319ac2d5a6f63376ca75a4a0561613a03ac4aad2dafe6f88806df1ab4cf0b84594faabcf0a359b7c35748021b902764fb94e225af35143816287999

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\ufkzqmucumtvhxq.exe

      Filesize

      512KB

      MD5

      785038154b71bd375cdc626320a21451

      SHA1

      4ca4149e7169121952939c0a9d27808dc6c6f015

      SHA256

      4e86fc352defd70061e524c4a14b628f408040f205806335b534d950d9984596

      SHA512

      9d1f8c3a7a267750a0fdf1ae9850f036c2af4597bb5c1341c1934f3b4d6b241544190f39e98afb8bb0f0b579d9f612f79611fed77f1c249f11be18df05dadec3

    • memory/2416-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2908-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2908-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB