Analysis

  • max time kernel
    152s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-04-2024 16:37

General

  • Target

    e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e55fdbfbab5a2d31ae484ae950d93920

  • SHA1

    6d08f719353b8d01c6abe393839d6102f7e59b7b

  • SHA256

    fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e

  • SHA512

    34884f4e79670950df8c7f3ac7367feb6a1db3c1d2b24de4117132c333db1dfeffe454322af55afdb2b4824c78e18617966e185067ba544f4ff69e2b26299ac0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\nbawubglfv.exe
      nbawubglfv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\olutbftt.exe
        C:\Windows\system32\olutbftt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2428
    • C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
      iysblbpxuvzxtns.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2796
    • C:\Windows\SysWOW64\olutbftt.exe
      olutbftt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2532
    • C:\Windows\SysWOW64\ebjltikyerlrc.exe
      ebjltikyerlrc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2896
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      50452b8c733bf1d6b1c3c907d3d79b13

      SHA1

      8bf1e0c7eecdf3ff56fbb43234f3aa2158f23deb

      SHA256

      183eba6637040530521a045c1a37cb85eaf0cc331c4f2a2e3e5e506477855507

      SHA512

      fb9ea72dae70bf083bbfbd4adf12b5040e505800f872c61cde14e1dec3fb994732b7c0edbfd5f3010863adba4988c310ba1a08c87550e3bcd122e77a872d1d94

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b37a299bb41577f12b72cb0f2df36e7b

      SHA1

      078f5a2bc4b0f9340c84801e5754acad6dcf7fab

      SHA256

      721b6ff69bbb5ac68c875fee8264687f99286aa5fa1b2a58f7603970680c6b6b

      SHA512

      f4b338178f3ecbcc166df51fd99467aa8bfac14dc9cd0feb747c0f9b26bfe1cdcedd93017f3b1d3f91c149d38eb51392249e0eb90a5cc79fd7b450387c250067

    • C:\Users\Admin\Downloads\RequestUnlock.doc.exe

      Filesize

      512KB

      MD5

      2f5d7361d714fcb5fbac18c0d91f46e7

      SHA1

      54332c8aff1943edaf1420ec34db5248571cc512

      SHA256

      9d0b670a1b46abbc0f7a505d3636fcea055261e4e0c89ffef38d04a414421360

      SHA512

      e7030a781500a49cc1430e167b0bd5dea17f8baa8cfedcca422cd31027625930c7df41ea0f418408fe5ba6152b2aea3aedf9b8cad8a437a2c22d3522a21bc572

    • C:\Windows\SysWOW64\iysblbpxuvzxtns.exe

      Filesize

      512KB

      MD5

      095576075e4fc245601e91a20a205ca8

      SHA1

      5a8f92b0ccaaa8575ce13a7bc85d9b1033e20500

      SHA256

      df09ef797c80d16971327c74ea0a44a573cf853d04a0824fb286f01a395c2b36

      SHA512

      3d822d29cc0c513bdffd506aefd3bf1736cefcf20dc366d93a026550ada7a79a51c27f84dde5d28d76dc60cc43fdfee357258536915fdd7d4ae7775ebcaa620f

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\ebjltikyerlrc.exe

      Filesize

      512KB

      MD5

      c32c6a8646bd14e22e35bc82b9fcc145

      SHA1

      a3fe45e2062a2e94e92d761acc7f53ab7df50a61

      SHA256

      c2637a03142c93941f1c2f7274e041d8c7a2a3784059af4a3c6ce7e01990c80a

      SHA512

      8a5ab29e689569d8a7c291e2fc48d1c8914ded53d508a31080c7dc6d42817eabf9906ae4cd3067d822aed34427638162ee95ff49be29d546ccd65ff74cef9ffa

    • \Windows\SysWOW64\nbawubglfv.exe

      Filesize

      512KB

      MD5

      df12443936e65b5eb6f7d8c11062d83e

      SHA1

      5455181df0058dc94cd2934361a078823aa53a10

      SHA256

      8e2724c69be5a89afc186877fccbf14cd135fc375215289eb906d063e7232133

      SHA512

      e69091d0dbba17c91d477d0d72ff14e2cbdaf020fed90e3556b9f79a3f0d4d1f4c1bb642879e240c8f0c1adb3334686cb8811f6d0c57a7e5c8cda83a9a564eb9

    • \Windows\SysWOW64\olutbftt.exe

      Filesize

      512KB

      MD5

      0f10b314d2b84364cc9b79de099ce9cf

      SHA1

      f30e64f832f12f0de822601bb4a10bdc8f1e8271

      SHA256

      81bd42c4f8bae14510613fba0158c8c159d6db8d51a5093da4210fc543f822ec

      SHA512

      585c18b11a665d26c5aa442e3d2550f48210bdf87aa9987feadf74ff7072125fe7e9eea8125a698cf54c099f87ad6141a8c463bd8051e2971853c1dac4d80c08

    • memory/2936-47-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

    • memory/2936-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2936-45-0x000000002F351000-0x000000002F352000-memory.dmp

      Filesize

      4KB

    • memory/2936-79-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

    • memory/2936-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2980-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB