Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 13:21

General

  • Target

    edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    edacafbdc34678350a21dfc0d5ed812b

  • SHA1

    fb5851ca7dd596c2a6db92bfbe2a286f31c5b856

  • SHA256

    b7883472cbd2ecc4eedea2fcec7acf42c75b1fa581d20e2ad7665ec95e2eed21

  • SHA512

    442aa2d8c9ce66c1963d66a8c5035ea84d78e24e4f5eb38ea6f7621ebcb5effa75ca979191a4983fc14f727c1916ca82c6a645d2e40d3002c7effb17cbb2d073

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edacafbdc34678350a21dfc0d5ed812b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\yxkurhjqga.exe
      yxkurhjqga.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\SysWOW64\zgvuzuuz.exe
        C:\Windows\system32\zgvuzuuz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3940
    • C:\Windows\SysWOW64\rjbtwdbvwdargwm.exe
      rjbtwdbvwdargwm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4444
    • C:\Windows\SysWOW64\zgvuzuuz.exe
      zgvuzuuz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:220
    • C:\Windows\SysWOW64\uxqboywvtkowu.exe
      uxqboywvtkowu.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3932
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    24c249e9ea4a09c03bec1b31ffb701d1

    SHA1

    8e9ca5fb2eb9c2a9abb68b3493acb73812668116

    SHA256

    ed7fd4f2df4a86876aab59d71a20dd9aab7ffd5ed6d3ebf83ed2aea991dd760a

    SHA512

    b8eb994bbad4840a4d2be8e3f799cdcf980639235bb9fb3b1eb4e99dc81b93e0166f37e671ca01a3085d894bf4e06a9ad4f1d142eb0bfba050a51c0c248170dd

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    605e70c78ea4dd155e0b952c77bd24df

    SHA1

    7f9e86111e7f0500fe757d8766b7542def7c37db

    SHA256

    e76025ec92cc7a488341acc1792271f23f442e1ed48e90720c295e89fd978691

    SHA512

    fd7d51b89a5350a24cc92de8584d6412abba59f9c9791d33cb7375f131e9b85610eb54920440a91f594700d987f9717a3be184227e42adb2aeaa4fc7f478642a

  • C:\Program Files\UnblockNew.doc.exe

    Filesize

    512KB

    MD5

    9e3e81789d7c429fb22b4495b0a1e379

    SHA1

    a7ede9ccf8c57e8df33a1e88001e56d2fcd50883

    SHA256

    8a5f1e8195e819272af188bb0fbdbe44c550ffd6903ceb0cf6743202839bb8ce

    SHA512

    62951470c18ef3adb0037b5ac4479303ba5ac4217149ff41d38da661c63649e223b3875c26f4d33222aff9ac29c27c07683ca386121245a4bf2c2b1a271c1f4c

  • C:\Program Files\UninstallLock.doc.exe

    Filesize

    512KB

    MD5

    1101a284b8f7c8c74bc4d78bd53b5e8a

    SHA1

    ea71b3e193c0b1bea8f39e4492904970a50a2dbb

    SHA256

    89744301cb0dd1c49635f0b5418a02a288f6260393744521d81f5e0e4a3dadc3

    SHA512

    41997160f457e302f10d4816e86055641aa9c8ca5f57e0b4c4dfa4445f120634fc552e3e226cf5406aaa39f41aa2d688cc9fc160f653e5c4417fe5fcfd625c99

  • C:\Users\Admin\AppData\Local\Temp\TCDE80E.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    439B

    MD5

    7fa2c54daf3e811885b2a52b5e95a246

    SHA1

    31b5107a1c0c6e706d3ae04892b5bb3b528d4cf5

    SHA256

    8c7086db9eacf36677d6612cfbc0472cd3614d5ffd7a78970a75e37850147676

    SHA512

    76003194057b9cd31149fe9bcef31d9978e26a8c0eb1e38273cd080f1f40cfa546aa47f14c2b089bc43b174d005add7e50446f9fc8039ab42189412da8ff0947

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    cc5beb6e0b25b240d2724ecd86b975eb

    SHA1

    b37ba24a974e3e28d5ac9d9118a1426b6cb0f378

    SHA256

    6bffe73051112bcbefe9c4b7381d3c8a6930c7a9c64a44186093f0fbc5a346b7

    SHA512

    5c86569b24cda9ea1b8e8b9b8d90850d436e7baccd0c57750cbb99a7081ddd56c34ddc64a4f01db76176c215539a586fc2a015aea2a9dea5703d4325b2cffd92

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    00ac63d5dfbfccc3a1ecd65320670634

    SHA1

    6b5fe31957bbe0d3f3f8cec04f23f96143a2d799

    SHA256

    8c900c518f2a0ceb35b6cfd40771a566138eb1fc9c3be1a26ad6d46d4eb23370

    SHA512

    3041475ac7d7a4835c08502276851abd990429a536d7af85f6fba1a42ce52a8fa84cb10e848356677634156b2b07621b15fab9024c8c659536091faae4d0f705

  • C:\Windows\SysWOW64\rjbtwdbvwdargwm.exe

    Filesize

    512KB

    MD5

    791cc0b8be81ddd0ed9196d1923ce656

    SHA1

    472b5d3c09dee680043fd24ea9e669a76ce14288

    SHA256

    f733df3bf6b9fae5eda2c0a288d38fd8b5e8b7cd18fbb596cad92c825a1ac836

    SHA512

    0b92d127cfd2375236fe53544fe32f9f5feb22afb83da77b47001f9a3b57c17b54bd2b89822ce941fbe72167e28ec6081a961e3fc4ccd60adb520da12e0f8429

  • C:\Windows\SysWOW64\uxqboywvtkowu.exe

    Filesize

    512KB

    MD5

    2d251cffa504160c5584630e348ee1ca

    SHA1

    fcd046bfcebbd33f6a11616c46ebbeadf1614f20

    SHA256

    73ad8d9d6b6fd101b1cf0f8f87cf5acc0ebcf777bbd69b3f1cd0cf69ae739aa0

    SHA512

    601d016467aeffe1ed7537ffe5e02d687cbf6670bfa30673b5f9b7872cbbf873f069b2b0312c82a43355e10a904dd32978a63b3b6e7df2841586c4e17d77946e

  • C:\Windows\SysWOW64\yxkurhjqga.exe

    Filesize

    512KB

    MD5

    104e9f4f7768b450a1340447693ff4c3

    SHA1

    0f12e034b685ea7231f53e8ad444fc3a7d986130

    SHA256

    46edcd8bcefcfc02de540fc74d6ac8367a0db424065abe3394a8183515e0fdd0

    SHA512

    a225d65e517ce40eacb873c2f3f1d9a1b4b350057db4ffbb0ba55d0070ecd62ab40b337428ad9efcc7f9ef3dc2041ac1ad92b713b4a78774d7c8f4898de1427b

  • C:\Windows\SysWOW64\zgvuzuuz.exe

    Filesize

    512KB

    MD5

    2ba86e54f31d43fbae2dd7359f2b5a04

    SHA1

    f50db2267c180ff863a09c62c819efd81780fe24

    SHA256

    5a1b56dcb891e43243c3119da8746b66c0ca74fe6127bafe6deed235e43720b9

    SHA512

    23055094c4237efdb34a03e30baddcf004df0aef03bd8fb43300769f1796ec6546f5afeac942369f3d63d58e6b13cb43de4f351b4e08b3151b5f67a311db2d5a

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    a31be4ba522d62a3f11d480b149e3f35

    SHA1

    549719b5b1ecacc8d4084f1c0421233a0df0d90c

    SHA256

    f81d8b83369056a8d8e3ab51f8e0323babcf412d3545b33a368fd6795fc4c40b

    SHA512

    66f2836bd56dc3f181d27aba7a5e07c1cc7a067fb05abca6ccf07515c2f3a2c484d493308337b606b4f2ef3d502f178dc433a4f36588e8d7af69170574db11bd

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    c4dc18e9f241734e71fad6ba4c53da61

    SHA1

    5a9bc9b6ec6966d4fb464b891a830497e13294cc

    SHA256

    8452d0b1144743d24e05b502afad9495a6cda2d23508eae9d07996a5bc720c84

    SHA512

    fd9a7599fd18e67e521e611a779c1f3dca567cf1aea200db7c83b7ca1936f2ecf61173b8393b44002ad76587174830097a94870a31886aae4203d58579c7fa78

  • memory/976-39-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-41-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-40-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-38-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-42-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

    Filesize

    64KB

  • memory/976-43-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

    Filesize

    64KB

  • memory/976-37-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-375-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-376-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-377-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/976-378-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

    Filesize

    64KB

  • memory/2436-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB