Overview

overview

10

Static

static

5

edacafbdc3...18.exe

windows7-x64

10

edacafbdc3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    edacafbdc34678350a21dfc0d5ed812b

  • SHA1

    fb5851ca7dd596c2a6db92bfbe2a286f31c5b856

  • SHA256

    b7883472cbd2ecc4eedea2fcec7acf42c75b1fa581d20e2ad7665ec95e2eed21

  • SHA512

    442aa2d8c9ce66c1963d66a8c5035ea84d78e24e4f5eb38ea6f7621ebcb5effa75ca979191a4983fc14f727c1916ca82c6a645d2e40d3002c7effb17cbb2d073

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\aydwlvngvi.exe
      aydwlvngvi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\wbjodwpy.exe
        C:\Windows\system32\wbjodwpy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2872
    • C:\Windows\SysWOW64\hhorgligxadkmtd.exe
      hhorgligxadkmtd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:268
    • C:\Windows\SysWOW64\wbjodwpy.exe
      wbjodwpy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2740
    • C:\Windows\SysWOW64\wdvyfpmfwccyj.exe
      wdvyfpmfwccyj.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2792
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1768
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1724
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x1e8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1180

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    3
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    3
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    7
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      82e546d2853f88c7b4f07c4d5ad13dc7

      SHA1

      0cd2eaa176debc2c34c942bcbbc42b01788c2afc

      SHA256

      2c3631d2733f76ab954bcabb372513d6763499152154af2f313a72edc5830d73

      SHA512

      75abbe6be7be665a4104857a8a6c2c36fa76eb3a780823a5d26ea0b12ffe5df0850008f93ac51b772f5f26581da56e4dfb828e2c3c54402ed88358473f11053f

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      cd1d13301880daa364e1240594a699c4

      SHA1

      b5641c0f81c474ccd275f9559c1f7f3e71a46f32

      SHA256

      4c2e245e44de2f24e02d3c18aad129a2ec7c0865687abe9500b2396ee6cd6a7a

      SHA512

      430644d9a1ef47a502a8aeb246bea5fff7e2a0a0bc084dc965e041e20b45fd2f9dce971c6d468ae77063f8add023f4a08647b7b87dc8f30bccc0cf491123c0b1

      Download Submit

    • C:\Windows\SysWOW64\wbjodwpy.exe
      Filesize

      512KB

      MD5

      12a1d8b75b5b692b1cb2b705e99dc1d6

      SHA1

      75da0084bc17898d1d542e6350cdfe8ff3d498bc

      SHA256

      d6645e2ba01fc8af99fab00329be5795e6517a365a847b7f3742ac7d92cc3f7c

      SHA512

      4b40ff1a2bb5e253454572406ace79defe49021f4fde02985ca6a01a4f7f3394fb2ec714d14a63552bdb075cddd038cdeba6abb67d0692644bcde1cbfaf5b14b

      Download Submit

    • C:\Windows\SysWOW64\wdvyfpmfwccyj.exe
      Filesize

      512KB

      MD5

      7524f0aab889ddddb3ac8b3683a1700e

      SHA1

      d8fd143932792e3f562263d36160e1daf52b2c9d

      SHA256

      828574021987b9430b0d8f48c0890714f388193bf6a1d933d482edd7616265a9

      SHA512

      ee48f7b5ccc511be436b80e6e800ee39a0474ed32eaf199595a17bb78d15f4b0e98baaa3864e357a53f3d3243f799772e678f59847ce4218bca18ed7c612a205

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\aydwlvngvi.exe
      Filesize

      512KB

      MD5

      03acc241436fc6eeb0b0a331ad38b35f

      SHA1

      18fb7421c78a57122b6c06c790bc1fe479e62f44

      SHA256

      032384ab40956cf76ba36d4949a5f653006c8c588843f171469362702e1ddad3

      SHA512

      1fca0c3bf57704fec0979e03af263624da60d85bbe874cd45bb7dcf0af00bec9bebf154a238c4cf3c913235e1bc2896553ff444b9092197adf457e4bdd291916

      Download Submit

    • \Windows\SysWOW64\hhorgligxadkmtd.exe
      Filesize

      512KB

      MD5

      acb34b28934e98813b8f96da2f5de76d

      SHA1

      bce532e5a8e2f7997d51f29cb248c4beeeff4361

      SHA256

      f463e0cceb3db4d18c05edea4222066e8d5fe3f93e60bd2696d648585abbfe3a

      SHA512

      571f03120796059cc51f5a9d9e2a45ac030e6266d73df06e181820b1cba1e7d31091986a9d86ec09aa1edd637f18b075c7d43ed2a434c5441acd16ab5a265bb3

      Download Submit

    • memory/1480-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1724-84-0x0000000002660000-0x0000000002670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2756-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download