Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28-09-2024 19:42

General

  • Target

    fd02aec39b72775c357694ef1fca80b4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    fd02aec39b72775c357694ef1fca80b4

  • SHA1

    a44d6204399eee243172bde55635109c064894ac

  • SHA256

    38f20f54668afa01a21970299cd1d4d0e5bd3877f540c9d81acf966d22c101f4

  • SHA512

    af9e35a2e96cd3f1b94c72af4c68e5c4ad5b245ae9c07ba05249e1de315590284015dc9e3c1ff97299963556906ea62642cf3dc3dc52832af9c58a6f28a1676c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
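
Several of the signatures above are registry writes: the Explorer visibility changes, the RegEdit lockout, the Run key and the WinLogon change. The script below, an added example and not part of the sandbox report or its tooling, checks a host for those states. The value names and the "hostile" values are the conventional ones behind each signature and are an assumption, since the report names the behaviour but not the exact data written. Two caveats a responder needs: HideFileExt=1 is also the stock Windows default, so that finding only means something against a known baseline or a Sysmon registry-event log; and the sample runs from SysWOW64 as a 32-bit process, so its HKLM Run entry may sit in the Wow6432Node view, which is why both keys are read. On non-Windows hosts collect_snapshot() returns an empty snapshot, so evaluate_snapshot() can be run offline against a captured one.

```python
"""Registry triage for the tamper and persistence signatures in this report.

Added example, not part of the sandbox report. The value names and the
hostile states below are the conventional ones behind each signature and are
an assumption: the report names the behaviour, not the exact values written.
"""

# Executables the sandbox saw dropped into SysWOW64 (names from the report).
DROPPED_NAMES = {"jrqoazqpan.exe", "bcjnmhlw.exe", "mljjdujsbkkbgzd.exe", "gdikmosclnsuv.exe"}

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The sample runs from SysWOW64 (32-bit), so its HKLM Run entry may land in the
# WOW64-redirected view; check both.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"),
]


def _userinit_tampered(data):
    # Default is "C:\Windows\system32\userinit.exe,"; anything else chained in is suspect.
    parts = [p.strip().lower() for p in str(data).split(",") if p.strip()]
    return any(not p.endswith("userinit.exe") for p in parts)


# (hive, key, value name, predicate true when the value is in the hostile state, finding text)
CHECKS = [
    ("HKCU", EXPLORER, "HideFileExt", lambda v: v == 1,
     "Explorer hides file extensions (also the stock default: compare against a baseline)"),
    ("HKCU", EXPLORER, "Hidden", lambda v: v == 2, "Explorer hides hidden files"),
    ("HKCU", EXPLORER, "ShowSuperHidden", lambda v: v == 0, "Explorer hides protected system files"),
    ("HKCU", POLICIES, "DisableRegistryTools", lambda v: v in (1, 2), "Registry Editor disabled by policy"),
    ("HKLM", WINLOGON, "Shell", lambda v: str(v).strip().lower() != "explorer.exe", "Winlogon Shell replaced"),
    ("HKLM", WINLOGON, "Userinit", _userinit_tampered, "Winlogon Userinit chains an extra executable"),
]


def evaluate_snapshot(snapshot):
    """snapshot maps (hive, key) -> {value name: data}; returns (location, name, data, finding) tuples."""
    findings = []
    for hive, key, name, hostile, finding in CHECKS:
        data = snapshot.get((hive, key), {}).get(name)
        if data is not None and hostile(data):
            findings.append((hive + "\\" + key, name, data, finding))
    for hive, key in RUN_KEYS:
        for name, data in snapshot.get((hive, key), {}).items():
            lowered = str(data).lower()
            # Heuristic (assumed): a Run entry naming a dropped file, or anything
            # launched out of SysWOW64, matches the "Adds Run key" behaviour seen here.
            if any(n in lowered for n in DROPPED_NAMES) or "\\syswow64\\" in lowered:
                findings.append((hive + "\\" + key, name, data, "Run key autostart for dropped executable"))
    return findings


def collect_snapshot():
    """Read the keys above from the live registry (Windows only); {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    wanted = {(hive, key) for hive, key, *_ in CHECKS} | set(RUN_KEYS)
    snapshot = {}
    for hive, key in wanted:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
                snapshot[(hive, key)] = values
        except OSError:
            continue  # key absent or not readable; nothing to evaluate there
    return snapshot


if __name__ == "__main__":
    for location, name, data, finding in evaluate_snapshot(collect_snapshot()):
        print(f"{finding}: {location}\\{name} = {data!r}")
```

Run it as the logged-on user on the suspect host for the HKCU checks; the Winlogon and HKLM Run keys are readable without elevation. A clean host produces no output.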

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd02aec39b72775c357694ef1fca80b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd02aec39b72775c357694ef1fca80b4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\jrqoazqpan.exe
      jrqoazqpan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\SysWOW64\bcjnmhlw.exe
        C:\Windows\system32\bcjnmhlw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1672
    • C:\Windows\SysWOW64\mljjdujsbkkbgzd.exe
      mljjdujsbkkbgzd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3612
    • C:\Windows\SysWOW64\bcjnmhlw.exe
      bcjnmhlw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2992
    • C:\Windows\SysWOW64\gdikmosclnsuv.exe
      gdikmosclnsuv.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3008
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    d8051f7bb9a2983b73248e857a7c8821

    SHA1

    ebbb6425de9a38333e8e6d3e3a40342b212c3f63

    SHA256

    3111193d3525a1c172a4c5f78dfb0c5c78477574e40dc3dc4c3e2a3fcca9580b

    SHA512

    5e48434fbdf90ab828a164b98b0ff43e75066bac20df150feb1b5b3e4e4c48cbd08f68e22c9c4eda7e79772f2c89fba5ab5284e4caae5ce282b1d1fe683bcd8e

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    678fde9d93b11e0dea4c25e62e6a3977

    SHA1

    589cc3c1897d2fd4744f00d6bd02fa223bb7e968

    SHA256

    d5d3b27baae6517df588f071b40f8923aa1b1134976662a2552915425c6fd0fa

    SHA512

    08a67b697c1664af2edad651a32d1eaf5c475b70f607a551fc94db75cd9c13d9aba720378b781f9c033d149db6dfc128de235636f0e136dccfb060767ea35c02

  • C:\Users\Admin\AppData\Local\Temp\TCDC802.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    332B

    MD5

    131461af2646bef83ccb49b20f30252c

    SHA1

    2379935a84f22942adb1da8c21b352c6fdb7bea6

    SHA256

    9b19f22d4284133a526d221cc82008bfc56d0e8ae80dfda579c6e1488feb1bab

    SHA512

    68ef7e2be6cc6a215550fbd2c9286e8150ebc33f6be1d113234ad739c0c5280589bfc287168f1696e352095b3488a10dd599b380238ac2033fbc17f230d86e78

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    e8d10d05e68666d6b409698946b2aab9

    SHA1

    6595d75065104cd12b6c1ae72c41ff461100e5c8

    SHA256

    9ddcc4c6cd9e29b19311c9aebeaa857fef10010bbff4f10b5691944e0ac38a46

    SHA512

    8298a068eb9c8c521c95ab2f25679137950f56e12292e59bf7e38c34ea0bae0a1011ad3a658143b5bc6e37f0f5ceb6db42fccb2cfecd79a77569348fb125edf7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    c4e395eb14a7f0a369cb790eaea61c37

    SHA1

    0a0cb8d4202b5a13248f397b98eee0ba26bd59fc

    SHA256

    af461defe4d4b1ce55b6889377373da58691c0c43af154d3ca486785a8d74630

    SHA512

    f5ac5eda9953ba5bf6c2cd96d279d64c1b5e212da6c7f1802bc9820c7501f08b5c2e11a53299cb17e33efd3f72b8c5bc2b282352d47159dd887c4cfdb5f791ec

  • C:\Users\Admin\Downloads\WriteGroup.doc.exe

    Filesize

    512KB

    MD5

    c66dc5c82bdb3a1586c63838e843e3b1

    SHA1

    362222bfdf031a2b2b64b7b4d6d396672e6a50ab

    SHA256

    42bbff2ebcab93174be1fa3f9fd965fcc17194ae493dbd6ffc2e5ef5d5b57a58

    SHA512

    429f6c23f57c8a2d0b8156cad5171dabc9f13695dda479a778be3c3a2f89071c7cdcf8e0968f30f1d84e48e22c7b5c41aa476cdf002097dff3cb09864652f5d7

  • C:\Windows\SysWOW64\bcjnmhlw.exe

    Filesize

    512KB

    MD5

    f8b74578dd90c19b7c372f79c4ed91ce

    SHA1

    3565ef42f879333d8f1d5150e0c7602fa89dea21

    SHA256

    3cde38c9ed98fbc59fb669c71cb86226d96e62e557178fe57b7a277ac2e40845

    SHA512

    668c3a8028d307a4ff1b038989e90773220678fa19dca7402f44ab02923a45452ca101bdfffc719728cd0f9227b8a6afbbe4ffcbb77a764a701bd3216913d2ef

  • C:\Windows\SysWOW64\gdikmosclnsuv.exe

    Filesize

    512KB

    MD5

    7235561e620ac27d7f62735c1d490bb3

    SHA1

    a86b40872dcb7fabde0f40fd568053971b194592

    SHA256

    a916b8da74b13a6b52f3fbda707350ae9d1bec9b14acb1b523ac963b56380e4e

    SHA512

    5002b095a186fe452635526ca451efe33ac3ad85466a3012c901f9c4de131b0a828e58f64f40d4504b68f4bc77f89ea59babb76811fb6db23c160ba594eaf010

  • C:\Windows\SysWOW64\jrqoazqpan.exe

    Filesize

    512KB

    MD5

    36548402567e9dc78d16fe6a0aa708bf

    SHA1

    0388351414f17a17c4c66b4553395762b87a6bbe

    SHA256

    9c298580989e60bfb4624192f87dfcfc3af3c9809575d2f5f4dd7a9d35431443

    SHA512

    d9051b0fa4c70c6cea457b9ba2eb976484a35cbd7f44fd9cce92864224d319846f951a713739b4bf57e3ec24d2ead2243b31807e8896e64fa589eb38b599823e

  • C:\Windows\SysWOW64\mljjdujsbkkbgzd.exe

    Filesize

    512KB

    MD5

    a31050cef0372b543353d3ed92c36c08

    SHA1

    741333d6496b62827e8ae7772df549548f3fbd10

    SHA256

    054d74eae46938aecbbff28612b92f1189950bf0f806b71110986b59cade5cc4

    SHA512

    bb4e3875a512cb9d19a5e113c872166358db14736aa45268043c947612593dc684eaa833c05e0c0a8f0ae5f6fe8a27af599d2bed5c271d2514803e9b2443c177

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e768698d07b6720e93ab42b532c3da5e

    SHA1

    86eda01dbc50878b7795f552cd479f9315768ea4

    SHA256

    fccc839d59e49ed65f2a6214dfe1d8d8ea499a80757e10fef7bb3f416d34f5ec

    SHA512

    871a726b069434dd7714c28e2040028a134fb1259928ac70ed55b4d905e7adc9848171ca4e5e43c2c58128fb088d0467ff987da3ccacc393d6c7e2a8a383d4b8

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    23bfee3b975d565d9d9124fc1340a75f

    SHA1

    f0f5404bdf02a40d2482e10762a1b557b2a16f86

    SHA256

    1619b2d80d2a93780305dbc8e731acb912ae5f594d4c92d714a519911ff79484

    SHA512

    c3e51d296e9e2e622c8a53e95d765e7f04a758d54a30711a35eba444de69b204c71d3c7f357fdb3c4bdc9bfec2166ac3107ce29d2705c30f07d7275f5fa5f997

  • memory/4596-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4772-37-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-38-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-36-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-39-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-41-0x00007FF84A1F0000-0x00007FF84A200000-memory.dmp

    Filesize

    64KB

  • memory/4772-43-0x00007FF84A1F0000-0x00007FF84A200000-memory.dmp

    Filesize

    64KB

  • memory/4772-35-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-606-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-608-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-607-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB

  • memory/4772-605-0x00007FF84C250000-0x00007FF84C260000-memory.dmp

    Filesize

    64KB
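
The dropped files above share one pattern worth hunting for beyond this run: every PE copy is 512KB but carries a different hash, and several were written under document names with ".exe" appended (WriteGroup.doc.exe, PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe), which is what the Explorer extension-hiding change is for. The sweep below is an added example, not part of the sandbox report or its tooling. It matches the SHA-256 values listed in this report, but also flags the structural tells that survive the next re-encoded copy: a document name ending in .exe, and a file with a PE header under a document extension. The extension lists beyond .doc and .rtf are assumptions, and the demo directory it builds is constructed here rather than taken from the report.

```python
"""Sweep a directory tree for the dropped-file pattern this report shows.

Added example, not part of the sandbox report. Hash matching finds this run;
the structural checks are meant to carry over to copies with new hashes.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 of the PE files the sandbox saw written (values copied from this report).
REPORT_SHA256 = {
    "9c298580989e60bfb4624192f87dfcfc3af3c9809575d2f5f4dd7a9d35431443",  # SysWOW64\jrqoazqpan.exe
    "3cde38c9ed98fbc59fb669c71cb86226d96e62e557178fe57b7a277ac2e40845",  # SysWOW64\bcjnmhlw.exe
    "054d74eae46938aecbbff28612b92f1189950bf0f806b71110986b59cade5cc4",  # SysWOW64\mljjdujsbkkbgzd.exe
    "a916b8da74b13a6b52f3fbda707350ae9d1bec9b14acb1b523ac963b56380e4e",  # SysWOW64\gdikmosclnsuv.exe
    "42bbff2ebcab93174be1fa3f9fd965fcc17194ae493dbd6ffc2e5ef5d5b57a58",  # Downloads\WriteGroup.doc.exe
    "3111193d3525a1c172a4c5f78dfb0c5c78477574e40dc3dc4c3e2a3fcca9580b",  # Office16\1033\PROTTPLN.DOC.exe
    "d5d3b27baae6517df588f071b40f8923aa1b1134976662a2552915425c6fd0fa",  # Office16\1033\PROTTPLV.DOC.exe
    "fccc839d59e49ed65f2a6214dfe1d8d8ea499a80757e10fef7bb3f416d34f5ec",  # MSDRM\MsoIrmProtector.doc.exe
    "1619b2d80d2a93780305dbc8e731acb912ae5f594d4c92d714a519911ff79484",  # MSDRM\MsoIrmProtector.doc.exe (2nd write)
}

# .doc and .rtf come from the report; the other document extensions are assumed.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$", re.IGNORECASE)
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe(path):
    # DOS header magic; cheap first-pass test, not a full PE parse.
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path, ioc_sha256=REPORT_SHA256):
    """Return the reasons a file is suspicious; an empty list means nothing matched."""
    reasons = []
    name = os.path.basename(path)
    if DOUBLE_EXT.search(name):
        reasons.append("document name with .exe appended")
    if is_pe(path) and os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
        reasons.append("PE header under a non-executable extension")
    if sha256_of(path) in ioc_sha256:
        reasons.append("sha256 matches report IOC")
    return reasons


def sweep(root, ioc_sha256=REPORT_SHA256):
    """Walk root and map each suspicious path to its list of reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                reasons = classify(path, ioc_sha256)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if reasons:
                hits[path] = reasons
    return hits


def build_demo_tree():
    """Constructed fixture, not from the report: a temp directory with three files."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    stub_pe = b"MZ" + b"\x00" * 510  # only the DOS magic, enough for is_pe()
    samples = {
        "WriteGroup.doc.exe": stub_pe,    # same name as the Downloads drop in the report
        "invoice.pdf": stub_pe,           # PE bytes hiding behind a document extension
        "notes.txt": b"meeting notes\n",  # benign
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Sweep the fixture; the stub's own digest is added so the hash path fires too."""
    root = build_demo_tree()
    iocs = REPORT_SHA256 | {sha256_of(os.path.join(root, "invoice.pdf"))}
    return {os.path.basename(path): reasons for path, reasons in sweep(root, iocs).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

Point sweep() at the user profile, Program Files and the Windows directory on a suspect host, the three places the report shows files landing. Expect the structural checks to produce some noise on installers that legitimately ship PE files under odd extensions; the hash match is the only reason that needs no second look.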