Overview

overview

10

Static

static

5

f557e23fba...18.exe

windows7-x64

10

f557e23fba...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    f557e23fbaea06dd8d1346e9860dc6b4

  • SHA1

    84a168ee2c1e2666cd875f0665b4c0129ba14182

  • SHA256

    5fd71f2dbaa454af5af5f6153ce00832188b2b559092309c9e790655634c4eeb

  • SHA512

    ae74292424ea93dd0a50bb99158b114c6b1e3b167704e1b965043bdfa0309a444d35d42d258fc9d74755738b2241f9cae76a6a605280c98f3eeff33260f5fe3d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\kijjqfepho.exe
      kijjqfepho.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\leplqfov.exe
        C:\Windows\system32\leplqfov.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1636
    • C:\Windows\SysWOW64\ajmpfzkhkebaioe.exe
      ajmpfzkhkebaioe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2968
    • C:\Windows\SysWOW64\leplqfov.exe
      leplqfov.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2704
    • C:\Windows\SysWOW64\cbouczlxumijl.exe
      cbouczlxumijl.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2696
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1524
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    3
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    3
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    7
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      51eaf19314a72d5ff538643dbda6af20

      SHA1

      28d5cdcd4b0c70d5f9269fe5a08bcfaa00299bcb

      SHA256

      4260eda70c568ee1f54e36caecdb3db60dd628a432aa560bb8c63e32d80773b8

      SHA512

      57dd0785b955f9e901b3ba0d062a7824b0aa3cbc5f6026cb9e4569b057f81d38f560c46755e46eb339e7c9ebef018a7cdccd5095504c6e248bd9378b00a70dde

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      072f82ba1e81883c91d1eb00b0b47d4b

      SHA1

      cc3875a1b275fa13e68ab29196be4beeef6d19b0

      SHA256

      e6aeb1b175188a5b0fbd14c3c093d7ee25c0ccc59554adf5a12fb32d76288a90

      SHA512

      70776b9f17f99474d107f600792f0d8647e347e3c4f3c8857ca5dce903d603c913f3957831cdc75bd00be7eaecae87f6e27f8c32e321d48a7ec33456e5d33104

      Download Submit

    • C:\Users\Admin\Music\UnpublishBlock.doc.exe
      Filesize

      512KB

      MD5

      b8431873f15b4bef22c41b36606aab77

      SHA1

      0e7cf95400ef8ed4eaed0d5191ddd3f4beb27beb

      SHA256

      74f35ad768ed54d30338a2b1b95b338ad80b14e3cbee78ff6c39f85b7ed036f2

      SHA512

      4721e9228e7a245efc0a1d530ef06b235ef441ef9a17e66351170d42cc79408872e9fbf310f46462fb8ff9e822ee766af0e4f3c90383556516cb1449d4696556

      Download Submit

    • C:\Windows\SysWOW64\ajmpfzkhkebaioe.exe
      Filesize

      512KB

      MD5

      142b16b0cc9e4b98892a43d828e4fa33

      SHA1

      42b318ddec152faa517918dc65879669ca3c075f

      SHA256

      adba48a725426a10fba27843a3a0690955e3b759c628505cd0809df0d8f5207d

      SHA512

      20b37e2067718f54597318bca0e1abac0b1b0ede444939f43711e2918158f2d9adf7845aed48a4f156f33af4296c6f9169252e17bdfac7243bbb22ead085ace3

      Download Submit

    • C:\Windows\SysWOW64\cbouczlxumijl.exe
      Filesize

      512KB

      MD5

      7b750f707d9561c93d4971ce5427422d

      SHA1

      ecc4453301bcf0fea5d0afa4de6ef8a70317ef92

      SHA256

      2a5431e92e15283791ce17fc303475ee1f6eb0c0757561384ea39355a26b4604

      SHA512

      faa035971fb74e031bd5bfaca30075bc1db833ae42a92256a79dcb910ad72f373c092ec74e327cc9360e6dc60f09bb80369a619d4d263ff9a5f9ec660a59e0f9

      Download Submit

    • C:\Windows\SysWOW64\kijjqfepho.exe
      Filesize

      512KB

      MD5

      2086c873b139b9f3f46353a5b7b5f1d1

      SHA1

      fe32956ed3b1beb173bc82de2586967bca75fb9c

      SHA256

      80c97d40ac61d7986cc0f1d1407c73d1ed0f8136de9d5b033687cd7389347a96

      SHA512

      37be4954488f95057c513ba7f4158ad966f147b74d91c8d9d9eb1cc62cfcf1097cc3df90f7b6e66fd97adee705ec03236de61040608683e608ddc5451507d9e6

      Download Submit

    • C:\Windows\SysWOW64\leplqfov.exe
      Filesize

      512KB

      MD5

      7d849c26e20b72f954e2612e81221062

      SHA1

      317e61d3a5ed62f4c8db9f545bec1e1bd8d067dd

      SHA256

      ddcc973701e2a59288dc6f5b5ca21b914353153dd9e15ccd099880993d3f092f

      SHA512

      602f1f4ca688d85eb760ff2753d6f4179c9ca8af7123f14463d08fc3570c3e7e877303b251dddb933225641fd590dea92769081c011111a43250579f903be744

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/1304-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2496-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2776-94-0x0000000003D20000-0x0000000003D30000-memory.dmp

      Filesize

      64KB

      Download