Overview

overview

10

Static

static

5

fe4ad96af3...18.exe

windows7-x64

10

fe4ad96af3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2024, 10:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4ad96af33b36fba59eb54dff86b9e1_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    fe4ad96af33b36fba59eb54dff86b9e1

  • SHA1

    16d89665b7bd064efc717c6e1f8782634dfddcf1

  • SHA256

    f1a2ba0ac8c86fdd29b7125e99a97bb64ae8b7a9272524547f21dec46760979e

  • SHA512

    0117b636cb5c20b212cb1a96f014aefbfebff6a89c97ae0b2e9558be552cf85409df8b03b4d4b337857a89345cf90caccc6f8fcbc190f5c343faca839706200d

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIc

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe4ad96af33b36fba59eb54dff86b9e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe4ad96af33b36fba59eb54dff86b9e1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\kajnxqsjur.exe
      kajnxqsjur.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\vpdwyznl.exe
        C:\Windows\system32\vpdwyznl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2800
    • C:\Windows\SysWOW64\vphrsxsuowedjre.exe
      vphrsxsuowedjre.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1252
    • C:\Windows\SysWOW64\vpdwyznl.exe
      vpdwyznl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2336
    • C:\Windows\SysWOW64\dbcspetfjajau.exe
      dbcspetfjajau.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1960
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:596

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            255KB

            MD5

            49655eecd42d1d71a4b752f62b5970ac

            SHA1

            65844bbac5156c080171a61636a5cb0d0cd35a90

            SHA256

            335d6e2fc90dd064ab393949fbdf38a8dae77f84ee3d409e5fea69649eefdb2a

            SHA512

            0e42162cd4f3c062746a5c067a7025d40545561716c803f8670797363c061f7bcb057c35c7f0a02b4c623734a7b64f0e9096401299f7de4e21b55e4a30174377

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            255KB

            MD5

            4a9b496afe87c82fe0a99887f1af6082

            SHA1

            483fd033bee881b1d6e157cac00dab9500fd823b

            SHA256

            8d268a269b55e594d707a70cead617da6fb269041092858b920828aa52d27d55

            SHA512

            76f884dd617b33cf6253daf4d2877c4692ac50ada88768f01629cfb6d6801d9a9b6cf2d4814863f1f0f42e88b9d60a9147999c5f498b521f0cc675f895b3a988

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            19KB

            MD5

            44ba8417696d7b7b3a0d275ed59b3939

            SHA1

            a3f7e8e68fb4fbdbd54bca5e31b318e992c21e14

            SHA256

            a1d89e3bbd77971cd7641fd589617d16398eb1d5ccdf7f2cb83ae9874dad0dd4

            SHA512

            76b9983bc6c221b9ec7607ec1ab0a2a22faa8bab8fdd8facec37118f25516b4731434f2809084fcc0cad5843a679f73928acf21eb769a6e58e357afed133bf24

            Download Submit

          • C:\Users\Admin\Documents\CompressSend.doc.exe
            Filesize

            255KB

            MD5

            99aed21d7efe514dbcea9ff2b28d2e74

            SHA1

            4664fcaf71195c1f4eb25bdf8803ee53c5527595

            SHA256

            0bead6005347460bec62cce5677c6fac776030511588c1f807eb49102a34a7f7

            SHA512

            af7d14895b8f8feffdd496076bda9913dc31327c6b837668f8eb7aae5d0be1318f186e22340bd280d96abe122529fc4dfa7ac6ac60293d431e53af42253c1fae

            Download Submit

          • C:\Users\Admin\Documents\MergeExport.doc.exe
            Filesize

            255KB

            MD5

            fb4f1bf3836f16dd29f5d4dd72721aa6

            SHA1

            cefd944c5be4775e42f9794996f36eda1b34e654

            SHA256

            de88a952f02a5b4e85f65c7aed79da9ec984a9d8e87fd8c47567a70e8a74fe96

            SHA512

            45245bbe0165c9525e263a887a42fb0e36b6e09153a34a2e10c8698f84863a5b8fa67eff704988239f4233b41e3150bcf1dc97f921871ed3f3bdc0bbd170cb59

            Download Submit

          • C:\Windows\SysWOW64\dbcspetfjajau.exe
            Filesize

            255KB

            MD5

            20f7a41816fdea3789c1ac8a1150fe91

            SHA1

            74b83e9258a2eecaeb993e454c12998067d2dcb4

            SHA256

            cb2d4b8c42669aac2cb184335a386b1e20c6df1190af0a4d2435861afa14a60c

            SHA512

            0de8c805ae183d23175a49773ff5df94de622b7c7f2838457e2c8b29675a3cad1357b554c75ea67db92b97b53a518f06d1c31f1c4f84ce8deeda283e013b0a45

            Download Submit

          • C:\Windows\SysWOW64\vpdwyznl.exe
            Filesize

            255KB

            MD5

            d03a44d7631a110ff7efa930e29cc8e8

            SHA1

            9fcab0c31b16e8194b0b1e29273448ea38473a25

            SHA256

            48bc43fee2cc8d1e64aaffe7efe6de60eb4162d51e4e0e495d06a04fddefb678

            SHA512

            7aa1e9291ea00dc393d09bbb2d091307236bc6e45f42edd02fbe1541363744b6e1d0f0bd2d3b8de805004ba0f58f75ead4dd3ac9b23e35106ff0da958a4451ca

            Download Submit

          • C:\Windows\SysWOW64\vphrsxsuowedjre.exe
            Filesize

            255KB

            MD5

            67950b7f62759639cb2e84da005ecee8

            SHA1

            3ed1bcde5080776cdd2a574c592ee35a25abb5d5

            SHA256

            383dc98c9f3e85282ab549a4a69a7a1b31cb428a45a3128310584949d30e832a

            SHA512

            9e0a2c96812031718718991b2b153e103f8454454b37d7e7ac84be45bb9492b3ec0d73a283c3f9f9ae9aab2a5ff44afe57ba7b9b426563d27f731cb576936d83

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\kajnxqsjur.exe
            Filesize

            255KB

            MD5

            d924d72a8ed9f7bf2f2b6fabeb64760c

            SHA1

            8df3f86772a1e8f631968777482989b44bc6b5fe

            SHA256

            12ac53fb2a53b47ce450d629d5f77998e5319e44840f1c0a73b9a4da6ac0a69a

            SHA512

            462f635ed5a1812aa762315b5d3671c21e34761b1f6e483f791660da706838975b74e0e63bb395829a193ddbb6a0bf86077ca98bb817ee464d0960323ca128e0

            Download Submit

          • memory/1252-36-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-148-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-151-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-154-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-105-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-157-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-90-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-136-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-124-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-121-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-118-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-114-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1252-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1800-47-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1800-19-0x0000000002F10000-0x0000000002FB0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1800-33-0x0000000002F10000-0x0000000002FB0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1800-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-106-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-92-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-158-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-119-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-37-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-155-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-152-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-125-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-149-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-112-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-122-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-137-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1960-115-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2336-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2336-88-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2336-91-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2336-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-153-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-120-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-123-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-117-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-156-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-104-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-85-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-113-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-131-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-89-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-107-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-147-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-150-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2524-34-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2628-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2628-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2800-45-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2800-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2800-93-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2800-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2800-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download