Analysis

  • max time kernel
    154s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 20:17

General

  • Target

    e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e5c5edde770bc5b229112f11f43f5019

  • SHA1

    d6d44d7f15069d4cfac2ab87b868ad0c63ce5644

  • SHA256

    42bfaa077ffeb81706e21042ac4f55b206b9409be8f0c907b1d34e256652f080

  • SHA512

    a3301dbcfff1b7be416a333050379b70cd1d6c6032155e0e118d582e2f8563235eb47f0903e915ce8a9a5d5eb587c642f000c7a192336f111ece26a2cfa019cc

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (6 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (15 IoCs)
  • Suspicious use of SendNotifyMessage (15 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\uycmgagtlh.exe
      uycmgagtlh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\hoxhqqot.exe
        C:\Windows\system32\hoxhqqot.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2488
    • C:\Windows\SysWOW64\jbclzoujlwqpavc.exe
      jbclzoujlwqpavc.exe
      2⤵
      • Executes dropped EXE
      PID:2184
    • C:\Windows\SysWOW64\hoxhqqot.exe
      hoxhqqot.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2596
    • C:\Windows\SysWOW64\ucsbjfwwmwipd.exe
      ucsbjfwwmwipd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:580

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      1d4526696f3c654324c2f13414d31ab6

      SHA1

      9052785a3d414456db6d57155d2940cb12bbee38

      SHA256

      318b3d52e668a78d122ae095bea6fd374fb6457e965d718560d38fb5ad5ae8fe

      SHA512

      1ce137e1c41b0c4b8fdf993886eb4392215d98af3cd97d202f6dafde5053d0ef3a3ebb0ca7de29e7c2c586052b37d4043d9e86c9bd1bd2e7c367d869f158ec5a

    • C:\Users\Admin\Documents\UseMerge.doc.exe

      Filesize

      512KB

      MD5

      f097d4c13df4cf9277c737ac6448e1ee

      SHA1

      ac206ca9a5ef59c34afa5bda3a56f61ec1039858

      SHA256

      856de1931be205053b01f4187a667e742616c38d925c7948c518c71d5a599501

      SHA512

      dc45c1986b84422dd4dd827b6bf9f7d7e10e273e9df76a28217f981961fa142cd1f7668331d652c3ac0076e5cf77d248844bfa4a8df65140aaefd4cec0844175

    • C:\Windows\SysWOW64\jbclzoujlwqpavc.exe

      Filesize

      512KB

      MD5

      5af54055a4a6f2b04c977917e2f6ce28

      SHA1

      b14582448e4bc274b12dbe2fe848ec7d75f7d320

      SHA256

      daaab1d096287790a51925475b5fa885d4fb9119ff7ef7f2564242e08ec33bb6

      SHA512

      356222f49c698452cc0c5c3da13fad54828b401b1d9f899f17d191f01fb83845f9804896de33df8d4eb194929d20335c046300281bdcea291642b3324881a9ae

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\hoxhqqot.exe

      Filesize

      512KB

      MD5

      ce009da4b5c2663bea0ba8a6c521e854

      SHA1

      35756e7b084b48b77172c7a77c64e18e467ee14a

      SHA256

      44cf0569fe956800d50fdecdce7979d4561caf63c4ddf5889b70a170563990be

      SHA512

      e03aa73b09a6abf41205d28724c679f83a677c4310795e101d1b4125fe87d8183079073f4173fa787e80f69a7291638946f1b920f1392128569b0b638bf8f826

    • \Windows\SysWOW64\ucsbjfwwmwipd.exe

      Filesize

      512KB

      MD5

      2dc8651d25c96a6b27d2965292a43708

      SHA1

      fa57366476686b16856a504e3501ba69424b4c02

      SHA256

      273f9a2e35f6a121ec3f4781a2fc412500e74405eb0e5acfc624780170e9c07c

      SHA512

      83296e07495785cd2cbcb1731a88ad1ea903cbd192e7c46211b0960fa14ebd09eafb99d6294b7ba6ee09d5cf6d08db2879ddfc252b56e37c5be0eec091cda30d

    • \Windows\SysWOW64\uycmgagtlh.exe

      Filesize

      512KB

      MD5

      c26ae97963bd2a22bd027cb77b55a4d8

      SHA1

      dcc2f68e0cc93eaba7a06b598779f329009cf510

      SHA256

      cd5d1b0881591fc388e138067d613cec7fc19fec283d53814327530731f542f1

      SHA512

      599dddb510216fd5d680eab104c9688bdd960227e607a341c109e38aee89bfbca81d4fd83f4297648485f04e3866580a9c6c33b9f841fd57cae23b59c013187c

    • memory/2272-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2588-44-0x000000002F911000-0x000000002F912000-memory.dmp

      Filesize

      4KB

    • memory/2588-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2588-46-0x000000007152D000-0x0000000071538000-memory.dmp

      Filesize

      44KB

    • memory/2588-83-0x000000007152D000-0x0000000071538000-memory.dmp

      Filesize

      44KB

    • memory/2588-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB