Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 16:06

General

  • Target

    f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    f65eb219b3f600691f3d107086f69a64

  • SHA1

    9e1df9b4b85cd00867a617e8667fd963d37588af

  • SHA256

    38f07c6c853142e95b203761f4eaf66f97b032106466b4269c094fe0bffbdc26

  • SHA512

    f17a4c862f4cb148d9c9765778200943d918910d0e98102c955c0cb1c4f991ed03e80b9fdc2dbce07c729ba87c41716543b20bd9978307406bb8e442d7687bea

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
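
The signatures above name several registry-backed persistence and UI-tampering behaviours (Active Setup, a Run key, Winlogon, disabling regedit, hiding file extensions and hidden/system files) without listing the values written. The Python script below is an added example, not part of the sandbox report: it reads the standard Windows registry locations those signature names refer to and reports deviations a responder would act on. Assumptions: the paths are the well-known locations for each mechanism, since the page does not show which values this sample wrote; `SUSPECT_DIRS` is derived from where the process tree shows the sample dropping to (SysWOW64) and running from (the user's Temp); `SAMPLE_SNAPSHOT` is constructed from names in the process tree, and its CLSID is a placeholder.

```python
"""Audit the registry locations behind the report's persistence and
Explorer-tampering signatures. Added example, not part of the sandbox report:
the paths are the standard Windows locations those signature names refer to;
the exact values this sample wrote are not shown on the page and are assumed."""
import sys

EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"Software\Microsoft\Active Setup\Installed Components"
# Where the report shows the sample dropping to (SysWOW64) and running from (Temp).
SUSPECT_DIRS = ("\\syswow64\\", "\\appdata\\local\\temp\\")


def _enumerate(key, fn):
    """Call winreg.EnumValue/EnumKey with a rising index until it raises OSError."""
    index = 0
    while True:
        try:
            yield fn(key, index)
        except OSError:
            return
        index += 1


def read_values(hive, subkey):
    """All values under one key as {name: data}; {} if the key is absent. Windows only."""
    import winreg
    try:
        with winreg.OpenKey(hive, subkey) as key:
            return {name: data for name, data, _ in _enumerate(key, winreg.EnumValue)}
    except OSError:
        return {}


def read_active_setup(hive):
    """{component subkey: StubPath} for each Active Setup component that has one."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(hive, ACTIVE_SETUP) as root:
            for sub in list(_enumerate(root, winreg.EnumKey)):
                try:
                    with winreg.OpenKey(root, sub) as comp:
                        out[sub] = winreg.QueryValueEx(comp, "StubPath")[0]
                except OSError:
                    pass  # component without a StubPath
    except OSError:
        pass
    return out


def snapshot_host():
    """Live registry state of a Windows host; run as the affected user."""
    import winreg
    hkcu, hklm = winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE
    return {
        "explorer": read_values(hkcu, EXPLORER_ADVANCED),
        "policy": {**read_values(hklm, POLICY_SYSTEM), **read_values(hkcu, POLICY_SYSTEM)},
        "run": {**read_values(hklm, RUN_KEY), **read_values(hkcu, RUN_KEY)},
        "winlogon": read_values(hklm, WINLOGON),
        "active_setup": read_active_setup(hklm),
    }


def suspect_path(command):
    return any(d in str(command).lower() for d in SUSPECT_DIRS)


def assess(snap):
    """Turn a snapshot (shape as in snapshot_host) into human-readable findings."""
    findings = []
    ex = snap.get("explorer", {})
    if ex.get("HideFileExt") == 1:
        findings.append("HideFileExt=1: a dropped *.doc.exe displays as *.doc")
    if ex.get("Hidden") == 2 or ex.get("ShowSuperHidden") == 0:
        findings.append("Hidden=2 / ShowSuperHidden=0: hidden and protected OS files not shown "
                        "(the Windows default, but this sample modifies these values)")
    if snap.get("policy", {}).get("DisableRegistryTools") == 1:
        findings.append("DisableRegistryTools=1: regedit is blocked by policy")
    for name, cmd in snap.get("run", {}).items():
        if suspect_path(cmd):
            findings.append(f"Run value {name!r} starts {cmd}")
    wl = snap.get("winlogon", {})
    if str(wl.get("Shell", "explorer.exe")).strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {wl['Shell']!r}, expected explorer.exe")
    userinit = str(wl.get("Userinit", "")).strip().lower().rstrip(",")
    if userinit and userinit != r"c:\windows\system32\userinit.exe":
        findings.append(f"Winlogon Userinit is {wl['Userinit']!r}")
    for clsid, stub in snap.get("active_setup", {}).items():
        if suspect_path(stub):
            findings.append(f"Active Setup {clsid} StubPath runs {stub}")
    return findings


# Constructed snapshot mirroring the report's signatures: the Run value and the
# StubPath binary are names from the process tree, the CLSID is a placeholder.
SAMPLE_SNAPSHOT = {
    "explorer": {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    "policy": {"DisableRegistryTools": 1},
    "run": {"hggriajslgffykc": r"C:\Windows\SysWOW64\hggriajslgffykc.exe",
            "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    "winlogon": {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    "active_setup": {"{00000000-0000-0000-0000-000000000000}": r"C:\Windows\SysWOW64\iuagwceyik.exe"},
}

if __name__ == "__main__":
    snap = snapshot_host() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in assess(snap) or ["no findings"]:
        print(line)
```

Run it on the suspect host as the affected user, because the Explorer and policy values live under HKCU; on any other platform it assesses the constructed snapshot. Note that `HideFileExt=1` and `Hidden=2` are also the defaults of a fresh Windows install, so those two findings describe what the user will see rather than proving tampering; the Run, Winlogon and Active Setup entries pointing into SysWOW64 or Temp are the actionable ones.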

Processes

  • C:\Users\Admin\AppData\Local\Temp\f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\iuagwceyik.exe
      iuagwceyik.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\ewkelwnn.exe
        C:\Windows\system32\ewkelwnn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2508
    • C:\Windows\SysWOW64\hggriajslgffykc.exe
      hggriajslgffykc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:736
    • C:\Windows\SysWOW64\ewkelwnn.exe
      ewkelwnn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2528
    • C:\Windows\SysWOW64\mvutfgmbjgkiz.exe
      mvutfgmbjgkiz.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2844
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1748
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1744

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            e75c43463477b888e2c370c45b8a4ec6

            SHA1

            3ab3eb43adb3bd7d78dca31153dfd8f071a63f9c

            SHA256

            f3053e671a6a9b4d994a90685517f930bbc1b3c50d17c7ef5281c007b0218fb6

            SHA512

            16feba2a6095fcc47e497e6253909470ccd9938599fe58df8693eaf8a4f828664972c1471ef79f33a520e7e9da3c904d4f2a2c68a4f841fb6feb11eb54475e14

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            19bc853c91d70d64fd8c7746b0722bc6

            SHA1

            df4ba6d23fc94226a195838b8901f3199f542cbc

            SHA256

            871878186963d6df301dc35cb1aa10aeedb1dc37f1ec20d12eefa96bc242ede6

            SHA512

            3cb31a021cfdca277bbfbd56ddc2135ce5abbae0af8cfadf527efffa40fb4dd08cb229933f00d98da0df8466c3ee70de9628c7114b8e2893077ed4bff503c79e

          • C:\Users\Admin\Documents\ConfirmClose.doc.exe

            Filesize

            512KB

            MD5

            b834adc4e830f668155fce5b87a85748

            SHA1

            c6765ec93e7cf289b40b3bdde546b64c8bcbc76b

            SHA256

            10cd02bd20755394d493ff72d0ed1a119c56580630c6550ccec128c28856bca7

            SHA512

            b480b357c8fd3af37384feeab522e149b6b8486f227dd224b4c11b7bdad873f408594b1bdbeb7e6af98961013e5d7848a683cd53d2bde20e60dd85d9443a07a0

          • C:\Users\Admin\Documents\DismountTest.doc.exe

            Filesize

            512KB

            MD5

            e2bbc6573f4accf819809bb95a2f88fb

            SHA1

            e87dc725949a0ad21d56d17723ae03976a0beb00

            SHA256

            59112a738c113d2c9f60b2cd485ff8347bec3027f78d8e8455d8c6329facba62

            SHA512

            b2533d323c2d1330890755dc0dbcf5f860852458b77fa633fbef802b7fb23445637fe301411a313893f6ff0e50fd015fd0a721f85f312335cf888f2f35d0e21f

          • C:\Windows\SysWOW64\hggriajslgffykc.exe

            Filesize

            512KB

            MD5

            88bd768952ea3b5df6c81b137abeb8bd

            SHA1

            1541e5a4e73843115529b5abbf0141ae0aa52c2d

            SHA256

            f942845203f340e2fcba6b9d35ef37f3a9b16bd897b9e767fe18497085e56517

            SHA512

            500e0190a3442480bab89b821e69c0e6bb85eaf701a58830ccfdbb7f4027143ab2930af787a10294fa3d7c2c68f2689344d6918d1f42ff14995011b190dc2a90

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\ewkelwnn.exe

            Filesize

            512KB

            MD5

            628dd770ff306a96033f1a70b6a930c3

            SHA1

            a9b5366ebc46b79b89da084fddebd4c2411a183a

            SHA256

            b7ceff6400dbb8a13777ad0f244bd1ffdb4add19b218d25b77da5e1c37e87085

            SHA512

            eafbc6f7984e89473687504b944973f1f02d9bacdf9ef0aae7b1a48cd29ec492da0d90927731c7e93e59fc8d4195892ca34cefaacc875c5445a2ca163f2b24cf

          • \Windows\SysWOW64\iuagwceyik.exe

            Filesize

            512KB

            MD5

            1c5ae8f209b1c71ea5426e23713fa52c

            SHA1

            5be37a0d530d23b2f48364fd0f77b63d0c160e5f

            SHA256

            2b39b78d233a377a25f1473d7094c32b76d3d40e1b7e0d9d2e49239466e78ba7

            SHA512

            a2d6d416845e8ec4ae7265f08a1ff32b4acb95b7fedc7039fb479f36e2761c88d2401e146860b46431a1c93fe325f2776d06132c5a9a4a4444338d9b305e34a8

          • \Windows\SysWOW64\mvutfgmbjgkiz.exe

            Filesize

            512KB

            MD5

            a74fc07d1f1e5d47db2c9c4df7232702

            SHA1

            efe4af55dfdfdc8689f3ff1d390c9eecbbc837a6

            SHA256

            7cc34c61b6a597f8adabb156231cb11fec030035c50507d25450f0149d3edf94

            SHA512

            506990de0c1230e65e8d40e3b10a252f856924e9b13948b9b7f26657203acdf8e8897e647e0b23ca2718dab1afff64632be6533131487fad0afebab0ab46cadf

          • memory/1744-92-0x0000000003690000-0x00000000036A0000-memory.dmp

            Filesize

            64KB

          • memory/2640-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/3064-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB
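
Every dropped copy listed above is 512KB yet carries a different hash, so these hashes identify only the exact copies the sandbox produced; the naming pattern (a document extension followed by `.exe`, such as `ConfirmClose.doc.exe`, which Explorer shows as `ConfirmClose.doc` once `HideFileExt` is set) is the more durable signal. The Python sweep below is an added example, not part of the sandbox report: it walks a directory tree and flags files that either hash to one of the dropped files or carry that double-extension pattern. The SHA256 values are copied from the report; the sample files in `demo()` are constructed here (one has content `b"test"`, whose SHA256 is well known, so the hash match can be exercised offline).

```python
"""Sweep a directory tree for the dropped files listed in the report above.
Added example, not part of the sandbox report. SHA256 values copied from the
report's Downloads section; the directory to scan is the caller's choice."""
import hashlib
import os
import sys
import tempfile

# SHA256 of the submitted sample and each dropped file, keyed by the name the
# sandbox recorded (values copied from the report above).
IOC_SHA256 = {
    "f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe": "38f07c6c853142e95b203761f4eaf66f97b032106466b4269c094fe0bffbdc26",
    "PROTTPLN.DOC.exe": "f3053e671a6a9b4d994a90685517f930bbc1b3c50d17c7ef5281c007b0218fb6",
    "PROTTPLV.DOC.exe": "871878186963d6df301dc35cb1aa10aeedb1dc37f1ec20d12eefa96bc242ede6",
    "ConfirmClose.doc.exe": "10cd02bd20755394d493ff72d0ed1a119c56580630c6550ccec128c28856bca7",
    "DismountTest.doc.exe": "59112a738c113d2c9f60b2cd485ff8347bec3027f78d8e8455d8c6329facba62",
    "hggriajslgffykc.exe": "f942845203f340e2fcba6b9d35ef37f3a9b16bd897b9e767fe18497085e56517",
    "mydoc.rtf": "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2",
    "ewkelwnn.exe": "b7ceff6400dbb8a13777ad0f244bd1ffdb4add19b218d25b77da5e1c37e87085",
    "iuagwceyik.exe": "2b39b78d233a377a25f1473d7094c32b76d3d40e1b7e0d9d2e49239466e78ba7",
    "mvutfgmbjgkiz.exe": "7cc34c61b6a597f8adabb156231cb11fec030035c50507d25450f0149d3edf94",
}

# Document-looking extensions that precede ".exe" in the dropped names above
# (.doc); the rest are assumed extensions of the same disguise.
DOC_EXTS = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt")


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_disguised_exe(name):
    """True for names like ConfirmClose.doc.exe: a document extension followed
    by .exe, which Explorer renders as 'ConfirmClose.doc' when HideFileExt=1."""
    stem, ext = os.path.splitext(name.lower())
    return ext == ".exe" and stem.endswith(DOC_EXTS)


def sweep(root, iocs=IOC_SHA256):
    """Return (path, reason) pairs for every file under root that hashes to a
    known dropped file or carries the double-extension naming pattern."""
    by_hash = {digest.lower(): name for name, digest in iocs.items()}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished; a production sweep would log this
            if digest in by_hash:
                hits.append((path, f"sha256 matches dropped file {by_hash[digest]}"))
            elif is_disguised_exe(name):
                hits.append((path, "document extension followed by .exe"))
    return hits


def demo():
    """Constructed tree: a file whose content is b'test' (known SHA256), a
    disguised executable, and a benign file. Returns sorted (name, reason)."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    files = {
        "dropped.bin": b"test",
        "Invoice.doc.exe": b"MZ constructed placeholder, not a real PE",
        "notes.txt": b"nothing to see",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    iocs = {"constructed sample": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
    return sorted((os.path.basename(p), why) for p, why in sweep(root, iocs))


if __name__ == "__main__":
    results = sweep(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, why in results:
        print(f"{path}: {why}")
```

Pass a directory as the first argument to sweep it against the report's hashes; with no argument the script runs the constructed demo. On a live host the paths worth sweeping first are the ones the report shows being written: `C:\Windows\SysWOW64`, the Office `Office14\1033` template directory, and the user's `Documents` folder.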