Overview

overview

10

Static

static

5

2ce90a7cce...18.exe

windows7-x64

10

2ce90a7cce...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 07:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    2ce90a7ccef295dffd02af7eac4ca4a7

  • SHA1

    f389d52e3c9fc0e6c4ae0c2746e67b8aa17f97cd

  • SHA256

    451dc58e2c48916c3929d5cc707a195031af65e4c070e0f1e6cde8038fd3cd84

  • SHA512

    99c14e7e54316a5bf0bd8f1ba21c4280061755ccf0f00815c936d1ac22daa023f7297d54fcc6e94b1d855aa3f383ec900f4427032092fca7dc40e9f49aa745e1

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6A:Plf5j6zCNa0xeE3mV

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\SysWOW64\ekssfhmgew.exe
      ekssfhmgew.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\kdakqfny.exe
        C:\Windows\system32\kdakqfny.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2564
    • C:\Windows\SysWOW64\phxipsxsbpwulng.exe
      phxipsxsbpwulng.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2192
    • C:\Windows\SysWOW64\kdakqfny.exe
      kdakqfny.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2412
    • C:\Windows\SysWOW64\qgenthonixjfm.exe
      qgenthonixjfm.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2756
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2900
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1960

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          7
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            255KB

            MD5

            b57c61d4f27dcfcd589d842787921bc6

            SHA1

            1f9e4b04f738230041d373aa6cb2360405ced80a

            SHA256

            d4a2a9cd648794da95b0930cc920212ec683b42647e15f864e84f92cafc7e5ad

            SHA512

            e308dcbe1027515b44e01e44dc14856a252e40a038e2bf0552c79bdb06851020440d752eae3a001b1271dd19f8bcfaf317cd4d81299036c421c28ae0bbe672a2

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            255KB

            MD5

            4ae272977719885482b5e56e02135ca1

            SHA1

            959755ecb061a71315c62b2c8f5ca7a0a95ee457

            SHA256

            d2bf17fe2b53a64b9e66dc0e4ff604ab2e4ceb1ed724b46e0755b8a9cd916828

            SHA512

            912187e190c89b74a4f581aba2b8219e7e95689c926eac4403d3a54f41fb2fdc18dbf131365ccfbb9a7ff5be1bccd174d8eb1cc620ca36235bb8bdd58c2985c5

            Download Submit

          • C:\Windows\SysWOW64\kdakqfny.exe
            Filesize

            255KB

            MD5

            02637564a945d9997e2688d26be04733

            SHA1

            a4a09cfcc232810a0a0b884c49069635b0197841

            SHA256

            151a1899f9faef4171bf329903b0581ed4c8463f52e99e270dad9371f851176c

            SHA512

            58f78f3cf8d8d12e17cceb72f7348afab39f064811ebe56bd9ca113e81c3856e4d50f40c90ea00c96f7e9dd8c32de621bb82fb5d9283d8d4cba2bf459b796643

            Download Submit

          • C:\Windows\SysWOW64\qgenthonixjfm.exe
            Filesize

            255KB

            MD5

            1435e13142b158805b3d96ed3f21adf2

            SHA1

            e9012622bc4cc321dbfc038a5ff453b19cfc69ed

            SHA256

            39454dcdb0f4537a3a9d038567d651890a5a7c7e8055ade0fd8cf57e00794c6f

            SHA512

            18c2da5e28ddf2f38bcfbec9a89291d8ebfb88702fd08aec3554af00a81dd95dcbf01f5fa3cd8d294728b68393cdd2ae59c76c148d4de9380d09c80ed2692b07

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\ekssfhmgew.exe
            Filesize

            255KB

            MD5

            f909590df10c9b4f662a2cb9b1c1a80a

            SHA1

            bd2f80fee3009aa44c6c64d55a2abb48de9ffa69

            SHA256

            84426df5a5664bd3aa62c68d30de5c3ccb10b4424938bae5f2b4f65d341899cf

            SHA512

            66699b237b5d0db59e62c6129a7457c2ffa34dc51a0405b4a2b6ce27e605a8af0a4f41804761abfd635cffdd5e50dbbbea5bbaa5ddb786e3339a2142a7935366

            Download Submit

          • \Windows\SysWOW64\phxipsxsbpwulng.exe
            Filesize

            255KB

            MD5

            74f5b171d28e1382b4ec8e071e6a8a77

            SHA1

            8eef4326cb33ba71519ba73d8afee764a9d6f5e4

            SHA256

            0326c2140e7ea1f8a536ab478ec4d0f86b8e094a4b893dcce04d9ee11e5fe5f1

            SHA512

            75427aef8290a4e298dabdd6fb0938df17ba3d9141b35b12110728b47efa9f93486acb198c03b39a28f86ded4872e8094153f18c406a591fa577397a1556e763

            Download Submit

          • memory/2192-71-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-75-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-127-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-28-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-130-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-124-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-121-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-81-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-118-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-115-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-112-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2192-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2412-76-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2412-82-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2412-73-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2412-88-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2412-92-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2500-42-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2500-30-0x0000000002240000-0x00000000022E0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2500-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2564-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2564-79-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2564-90-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2564-78-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2564-84-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2756-72-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-116-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-83-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-125-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-122-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-128-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-103-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-131-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-113-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-119-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-89-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-77-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-114-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-74-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-117-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-80-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-120-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-70-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-101-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-123-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-126-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-129-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-25-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2892-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download