Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 16:37

General

  • Target

    e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e55fdbfbab5a2d31ae484ae950d93920

  • SHA1

    6d08f719353b8d01c6abe393839d6102f7e59b7b

  • SHA256

    fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e

  • SHA512

    34884f4e79670950df8c7f3ac7367feb6a1db3c1d2b24de4117132c333db1dfeffe454322af55afdb2b4824c78e18617966e185067ba544f4ff69e2b26299ac0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\SysWOW64\wimlfaqlao.exe
      wimlfaqlao.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\qngdyrdh.exe
        C:\Windows\system32\qngdyrdh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2252
    • C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe
      azajxdyfmhzyrvo.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3484
    • C:\Windows\SysWOW64\qngdyrdh.exe
      qngdyrdh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Windows\SysWOW64\etzyztlyjygre.exe
      etzyztlyjygre.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3248
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    9505118601fa7bc6ea0c38cc8ae7ed48

    SHA1

    e5fed845cf8d9e700567ad2a937f19af143a8fc9

    SHA256

    1442921b2aabb1bb2420a87c6bc342213799ce6ae4bde525f08bacb37d4b7de2

    SHA512

    4d1de0211c265f117a77eee03a668927d1503faa22766c56e1826d6a6ee626c5ffc050ac5cfbc2aabea65e79cdcaa78ab45f58d478754475c67ef8b87f0ea372

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    e5e6a11bd5b77b7718e5622b97a9f760

    SHA1

    803778c2022eba9642af20e288199c32248b0fa6

    SHA256

    469fc7cefbabf8a14391b27b2ab93e814132ee84838caa25fc9c60175c767860

    SHA512

    d6641d9281ab9f54af459eeb788dafe0c019665f6ea1a625c90af9835cb5125a530ef3f641f7e602851532d8c1fd8388e62855fdae7e52346c02466a1d42567a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    e9a4dc0ff09ee3e14f890f69efab32c0

    SHA1

    99e3fce9ab2e090faa2635a3a0d3dfef52866539

    SHA256

    161854919612b9241fe411ff2a30926ef655f838f7ad156edf157ed2fa70ecde

    SHA512

    6aef5ab94fc574ff6bd7058690e7aebbf518aad7aada9b05a38ee6c58fc42d3272e43425993909ab6e64deffe8b535a92172bb5c37bc65472201c0d690c60168

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    0e70f6489aede499a007869054eff81e

    SHA1

    b0ffa38f07abd3d9f2d22c74ebe73ce2f667a410

    SHA256

    39c6280843003b1eea756d5c5dc6db41e0bc4389a3ae488a57aa4ec567201ebe

    SHA512

    e47045caa74786d04b05a3754bf5c850be3b104b21ea821514e7a1bd63caf3b59ac5133f88d19f8e56f5c2c20233dfbf729a6e01871a58226a7295923da2e8ae

  • C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe

    Filesize

    512KB

    MD5

    18eaee2ba00f9de5399f8d658aee3901

    SHA1

    566240e2af1c6fd017c7b9456a187179da9e5683

    SHA256

    a58c3dd8146fccf65e2c6f529bfb170cde223eaa13a9323458d756579f01a2b2

    SHA512

    9bbb64065969d424a69888b54e9040845d74a603d5f12438887c04a6514ab236be1456b774028a9d33e4cf0048215f70ccffb5f71354916f0d5b8b2a3864d824

  • C:\Windows\SysWOW64\etzyztlyjygre.exe

    Filesize

    512KB

    MD5

    b590ebcdbcea0fb73a5cda19c726b27d

    SHA1

    80d6a6467b1ff19173cb1ae095e8556ddec0fa7f

    SHA256

    eb9e7cc6ac0ea6ee89ba0db05f09edcb69f7a54add72fbe7b8dc71cd91270773

    SHA512

    7af9c7b2b7a289bd7ca80cfeb06c3542b5f246da64d7a400a6afab35e3989ba471da058020f9e171cc5b21fae2a92f7813ca45375d8724c0bbe4d90ccde1e24a

  • C:\Windows\SysWOW64\qngdyrdh.exe

    Filesize

    512KB

    MD5

    b4e0e249209ca52c144bb2401662177d

    SHA1

    8439630068fb2a4be95533e7464668075897f57e

    SHA256

    dce90f91701f6a0a80f582d8c7c9bb232d7ea036d7d65c7eceeed2995a5316ce

    SHA512

    07d50444f016ef50c23f71c146385181b6057aeecb5fa82e093cbb9b5c29a9419e37c85e22f86724414961b08ea11b0f5635ed8b7229a5522a9a54c406dc3382

  • C:\Windows\SysWOW64\wimlfaqlao.exe

    Filesize

    512KB

    MD5

    0359e95ca9cab0d440e3aa2c8be792aa

    SHA1

    8be9c0b301c1ee11b6063a326d7bded1d04b289e

    SHA256

    759b3b1f4fe2bd4a6a212d285b6c0634db8390489e5712016ac1e4eb99ea3398

    SHA512

    407311d6cb6ec5b4263a81e2095f870c14e5aaf52f470be39d5ab0da0d241d23a50eb4ad2ada1d582973f480aeca34d142beb39557c3a73121aeed6219e36c22

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    78eea428e7c67130f1948aace9698429

    SHA1

    169e62540caa20c29156688e7f46013155c76507

    SHA256

    ab21a4f40132f79c434a11ef0021f9d635027bea7dd19c35b692bc8c75e3aa3d

    SHA512

    b73bacc4d3622b7aa800732941e5150d71b699c95dc964c76bf268650f11b7900a70cee1dd16834dcebad01f462b2bb90814528a95d13afe5ce323bb52124313

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    5c03015e09d0ff4da0cda323d4468c6f

    SHA1

    fa10d6c28cb5d1447f9b4bc49c483ebd462c68c1

    SHA256

    eba77538551e80207e7312b207b0e1c50dba091795d312153f50e44539aaa944

    SHA512

    d0f10f78f5f1e856769acf666d47a7330c7c6def8964e04265dc248b23fca9242ca38f3852ce6fb3974bfbbbe7dd76038d7a2acaf78dc3cd6879338b675a39ec

  • memory/3200-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4156-40-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-44-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-47-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-49-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-48-0x00007FFC62C40000-0x00007FFC62C50000-memory.dmp

    Filesize

    64KB

  • memory/4156-51-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-52-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-50-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-53-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-54-0x00007FFC62C40000-0x00007FFC62C50000-memory.dmp

    Filesize

    64KB

  • memory/4156-55-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-45-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-41-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-46-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-39-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-37-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-38-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-36-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-35-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-107-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-108-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-109-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-134-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-135-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-136-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-137-0x00007FFC65490000-0x00007FFC654A0000-memory.dmp

    Filesize

    64KB

  • memory/4156-138-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB

  • memory/4156-139-0x00007FFCA5410000-0x00007FFCA5605000-memory.dmp

    Filesize

    2.0MB