Overview

overview

10

Static

static

5

fa8cd8394a...18.exe

windows7-x64

10

fa8cd8394a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 14:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    fa8cd8394aa27c9b22fa8bd7d7b5a51c

  • SHA1

    93205ba789a795d333a5beb6441ebd3eadeeae27

  • SHA256

    c3762ac4dcd225bb4afbd6f12a41877065cb23f0e10cb1eef6ffdaa7c2eb620e

  • SHA512

    8a3b47b9e58f36eacef4c91f24b47a2d973a070bd5196de35f755c4840781ac36606e52504a2c30d0256f032abeb8180aa1fe915cf03368982921616389f0126

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SysWOW64\lasqsudhii.exe
      lasqsudhii.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\qzfcdnfi.exe
        C:\Windows\system32\qzfcdnfi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2844
    • C:\Windows\SysWOW64\lrxqtygoskyrrae.exe
      lrxqtygoskyrrae.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2700
    • C:\Windows\SysWOW64\qzfcdnfi.exe
      qzfcdnfi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2824
    • C:\Windows\SysWOW64\haevpyrmzyxtf.exe
      haevpyrmzyxtf.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2136
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2472

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            512KB

            MD5

            c91e8d52bb335c84fe3c6c3aef3f9e89

            SHA1

            b11f71f73510610c0bd8db5aee088e2d75b188f1

            SHA256

            73fa3bced4f3a7627ad39f507ae036475e4a733e4f61676c828fa60db8b0281f

            SHA512

            cc485d2c09c45d556a36ad7804c4aad1575986625cf1227309f0ad1503f89c69c39583a2684856dc1368eaf291af92b7f1fb24b536e903e479efdfb9756dda18

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            512KB

            MD5

            4c4eb436d47a55f8f31c0a6a429781e2

            SHA1

            ad974637dec4e20ce21ea7c066f0bb99f7155c7f

            SHA256

            0ff2a37e7e6a2f4f8dd57ca84426f875d627ed536218824b3f9f71e796ccbd9d

            SHA512

            c94eca5fbb22ddeba5dd6b23cfe92d5cdfca7e0eeca8a99a25f35f87df85132453a98f86913e9dba72c8494e8af87c60611652f2e83f81067cad6bf80dcdc734

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            19KB

            MD5

            b277094f882183f7968aab2027a854fb

            SHA1

            d1ce56b3a81cc3ab6e5a953211b5b022ed3022d5

            SHA256

            60d81b7a34e290e20fd9e63b37f05e3ef0c915a7bb9c84fc0802ac32ee8047d9

            SHA512

            f73afd5ca5b2eec86dd4efd4cbc6feb683f4c391268f3c045ef50e52cef8f6172e8ad4d7500c72e8e0dd1f2f2b46260e93c4dcb52840ca060047f7d25f704c19

            Download Submit

          • C:\Windows\SysWOW64\haevpyrmzyxtf.exe
            Filesize

            512KB

            MD5

            172c513b7a5d6139d2cdf2cfe04c3f68

            SHA1

            afd7df12d50438ea12f4e549329a621a57a814aa

            SHA256

            b2764df35b9721955500b20f3d89774a8fcb03865468adcb975cea609a9ac5dc

            SHA512

            d6bf74f3768c1cdc4e8c313c043f01530310b4a58ea6a6cea7d720e39922d599d4b3806f95164574421566a941e87e2732059c67348e9baa82f3edd5303b202e

            Download Submit

          • C:\Windows\SysWOW64\lrxqtygoskyrrae.exe
            Filesize

            512KB

            MD5

            3b6f914be64b52e502e6dc2b9c3238cb

            SHA1

            454e41e85859f07e86b0667b5602aeaccaea78e8

            SHA256

            5f63d398126e55cfd4c8b2b98a60e827b58cdfb8b70b9844ba217a01b32ef820

            SHA512

            9832864f59f97e89fab253cde5bf93db2d779e3f10a640e0d04397532c8fbc232f6a0ffc2cb3457814acd5c9f4ecb878dbdc54fdd9c3193c54768f873e42c2e8

            Download Submit

          • C:\Windows\SysWOW64\qzfcdnfi.exe
            Filesize

            512KB

            MD5

            3154f49ac025aaf86e8183470edb47d1

            SHA1

            a7576be4e46f4420ad1b833f010f686e61e29fb5

            SHA256

            89a03e975b9b5c68fab6cbae3a439be0750134cc914c2c65b0faf89f125b8762

            SHA512

            011b87b5967c158244a9d9f703ff102e43ba55bc724d09c0752e89568469f8107518f49a74794144303a98fe29ca14b796cf1bde6d72859fcd3a2036ee617535

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\lasqsudhii.exe
            Filesize

            512KB

            MD5

            467e4a8aa9a5ffa2df87649d04429739

            SHA1

            efaf4bce6ead7b34d4325a115ee213a71203d093

            SHA256

            eca60811116b8e99d4ce4a09773bd4bd7c8241c739e8c8329d8f626baa16bf86

            SHA512

            b057e7521fbb4a802d6c92fedf330dc4dd2dc4332466a76bd48df3a90c9c35847c0c09bdc8e49460cb5ac21bba4882f3a3feced880a6f2575c64b7863de6e267

            Download Submit

          • memory/376-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2652-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2652-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download