Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 16:41

General

  • Target

    e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e5617b2da499c88bc5802c3f8e952737

  • SHA1

    02e66f0d3952156d43eeec37b793d7065d9fcfc1

  • SHA256

    f48046909760b08428a87969d87f465e64c1fdaeccc3ee5a9050eab9037828d1

  • SHA512

    74545ecf513052eea5fc20a04bed4a1cc1c5c768ee33b201b732385f95f559bd9114be4a5fa5d1268115139ca3baee37df67c25156ec1d48d9503883d4505678

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5617b2da499c88bc5802c3f8e952737_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\lrdufovhda.exe
      lrdufovhda.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\gppmilix.exe
        C:\Windows\system32\gppmilix.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2680
    • C:\Windows\SysWOW64\txrkctxivszdvvj.exe
      txrkctxivszdvvj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c mccbvvsmmamva.exe
        3⤵
          PID:2632
      • C:\Windows\SysWOW64\gppmilix.exe
        gppmilix.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2544
      • C:\Windows\SysWOW64\mccbvvsmmamva.exe
        mccbvvsmmamva.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2572
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:524

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        512KB

        MD5

        ad61b9d0b935e34c4ae957b35e8ef9cd

        SHA1

        8fbdbc5d4e04c9a1d1644e65bf44430f614e5d54

        SHA256

        8e93110b81981f2351df975aa160c071cd83619604434f68ee644e69d2005780

        SHA512

        14d45a9897799035f2262c596a0a366859e4e3b496e02e4c10cafb0587e782d0201d2cd684df1cab3a698214444580da445a2fcb0bc1d02bd7bd6bd38043a383

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        54f92513155744724961563a4a04f63e

        SHA1

        d5cebead3c6f8235906f0a674723844a6295bfdd

        SHA256

        813423b36c35fe950e3759636dae2b6a3f907f6f507ed574fe2a2a5d1493757a

        SHA512

        48ac9e96979b09b35fa8bc679aad7089ae1efd86115e8b7319169b6117a919fd28114af3b82101b9aee4b33685fd956fd146abed9ac25434a86b2b2f233e5340

      • C:\Windows\SysWOW64\txrkctxivszdvvj.exe

        Filesize

        512KB

        MD5

        d3109b83c25cd435548f5b3af1e111dd

        SHA1

        fe5fc3f946e130142b45eb5bb2c20c5fa4a1d804

        SHA256

        9828ec4e274edd1322191b5a51bef8268811bff10e2b0e871053f3a2795bc487

        SHA512

        8fd3e6c31616a3330472d373bc5f0fa82eccbbab6c9aaa6c3d8a7285b9103a2d4454985832a36007aa5827ab23c986aa1ba31b8974b4c8ad3982245a3d0d3672

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \Windows\SysWOW64\gppmilix.exe

        Filesize

        512KB

        MD5

        1d1048be730d0cf51f329be152954d97

        SHA1

        1c8608aa14ef9b089d03de672ce3e65dc451fecc

        SHA256

        0904ef4ff2389e7d65c26924e28df3d5a81017cc6fd61970171908089a97f1c2

        SHA512

        675e56da872013a54d32b90caf224fc9284319464654a4c09cefc9e820b6c679ee44a25037fbdc87d6772c1be5cd467ee1aa579edabe49c65b7db8f7eb56213e

      • \Windows\SysWOW64\lrdufovhda.exe

        Filesize

        512KB

        MD5

        19f7e5015cc19dd4a0a23afb69e08edd

        SHA1

        424475fa4af4b5de80174bfb41c1c2f6cf95c227

        SHA256

        970e3f94008dcf9fb0181695f942c7eb71aaf36991d23a8e3b7b4383176a0207

        SHA512

        0688e40262dd75edf8e26650f168ef715d3a652b9e60ecbca5cf2df3f575b13835da0fd91a2b52963f9dedfb5b0b92e81536986435d4aa2ce3761dce7101fc07

      • \Windows\SysWOW64\mccbvvsmmamva.exe

        Filesize

        512KB

        MD5

        b370c562a0c29072d9ae1ee969176ea7

        SHA1

        e25c723ec7836f6b1be03c70835abb6928ec8633

        SHA256

        7a3a0447f965b999e6d5ab218d669b8e59f8726a1aefb4468c9dd8cbb2c4871c

        SHA512

        e6e0e259a1bab6963491f281a4ad959a37b695d3da2e025624679212a49c7de8780e55b23af26a0f876526b39fa59580c19366d499bcabdb985ec5cfeab1ee0c

      • memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2872-45-0x000000002FE31000-0x000000002FE32000-memory.dmp

        Filesize

        4KB

      • memory/2872-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2872-47-0x0000000070CAD000-0x0000000070CB8000-memory.dmp

        Filesize

        44KB

      • memory/2872-81-0x0000000070CAD000-0x0000000070CB8000-memory.dmp

        Filesize

        44KB

      • memory/2872-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB